The NPRM would have permitted covered entities to use and disclose protected health information for research-regardless of funding source-without individual authorization, provided that the covered entity obtained documentation of the following:

(1) a waiver, in whole or in part, of authorization for the use or disclosure of protected health information was approved by an Institutional Review Board (IRB) or a privacy board that was composed as stipulated in the proposed rule;

(2) the date of approval of the waiver, in whole or in part, of authorization by an IRB or privacy board;

(3) the IRB or privacy board had determined that the waiver, in whole or in part satisfied the following criteria:

(i) the use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) the waiver will not adversely affect the rights and welfare of the subjects;

(iii) the research could not practicably be conducted without the waiver;

(iv) whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) the research could not practicably be conducted without access to and use of the protected health information;

(vi) the research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii) there is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers; and

(4) the written documentation was signed by the chair of, as applicable, the IRB or the privacy board.

The NPRM also proposed that IRBs and privacy boards be permitted to adopt procedures for "expedited review" similar to those provided in the Common Rule (Common Rule § ____.110) for records research that involved no more than minimal risk. However, this provision for expedited review was not included in the proposed regulation text.

The board that would determine whether the research protocol met the eight specified criteria for waiving the patient authorization requirements (described above), could have been an IRB constituted as required by the Common Rule, or a privacy board, whose proposed composition is described below. The NPRM proposed no requirements for the location or sponsorship of the IRB or privacy board. Under the NPRM, the covered entity could have created such a board and could have relied on it to review research proposals for uses and disclosures of protected health information for research. A covered entity also could have relied on the necessary documentation from an outside researcher's own university IRB or privacy board. In addition, a covered entity could have engaged the services of an outside IRB or privacy board to obtain the necessary documentation.

Absent documentation that the requirements described above had been met, the NPRM would have required individuals' authorization for the use or disclosure of protected health information for research, pursuant to the authorization requirements in proposed § 164.508. For research conducted with patient authorization, documentation of IRB or privacy board approval would not have been required.

The final rule retains the NPRM's proposed framework for permitting uses and disclosures of protected health information for research purposes, although we are making several important changes for the final rule. These changes are discussed below:

Documentation Requirements of IRB or Privacy Board Approval of Waiver

The final rule retains these documentation requirements, but modifies some of them and includes two additional documentation requirements. The final rule's modifications to the NPRM's proposed documentation requirements are described first, followed by a description of the three documentation requirements added in the final rule.

The final rule makes the following modifications to the NPRM's proposed documentation requirements for the waiver of individual authorization:

1. IRB and privacy board membership. The NPRM stipulated that to meet the requirements of proposed § 164.510(j), the documentation would need to indicate that the IRB had been composed as required by the Common Rule (§ ___.107), and the privacy board had been composed as follows: "(A) Has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol; (B) Includes at least one member who is not affiliated with the entity conducting the research, or related to a person who is affiliated with such entity; and (C) Does not have any member participating in a review of any project in which the member has a conflict of interest" (§ 164.510(j)(1)(ii)).

The final rule modifies the first of the requirements for the composition of a privacy board to focus on the effect of the research protocol on the individual's privacy rights and related interests. Therefore, under the final rule, the required documentation must indicate that the privacy board has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests.

In addition, the final rule further restricts the NPRM's proposed requirement that the privacy board include at least one member who was not affiliated with the entity conducting the research, or related to a person who is affiliated with such entity. Under the final rule, the board must include at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with such entities.

The other documentation requirements for the composition of an IRB and privacy board remain the same.

2. Waiver of authorization criteria. The NPRM proposed to prohibit the use or disclosure of protected health information for research without individual authorization as stipulated in proposed § 164.508 unless the covered entity had documentation indicating that an IRB or privacy board had determined that the following waiver criteria had been met:

(i) the use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) the waiver will not adversely affect the rights and welfare of the subjects;

(iii) the research could not practicably be conducted without the waiver;

(iv) whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) the research could not be practicably be conducted without access to and use of the protected health information;

(vi) the research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii) there is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers.

The final rule continues to permit the documentation of IRB or privacy board approval of a waiver of an authorization as required by § 164.508, to indicate that only some or all of the § 164.508 authorization requirements have been waived. In addition, the final rule clarifies that the documentation of IRB or privacy board approval may indicate that the authorization requirements have been altered. Also, for all of the proposed waiver of authorization criteria that used the term "subject," we replace this term with the term "individual" in the final rule.

Proposed waiver criterion ii (waiver criterion § 164.512(i)(2)(ii)(B) in the final rule) is revised as follows to focus more narrowly on the privacy interests of individuals, and to clarify that it also pertains to alterations of individual authorization: "the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals." Under criterion § 164.512(i)(2)(ii)(B), the question is whether the alteration or waiver of individual authorization would adversely affect the privacy rights and the welfare of individuals, not whether the research project itself would adversely affect the privacy rights or the welfare of individuals.

Proposed waiver criterion iii (waiver criterion § 164.512(i)(2)(ii)(C) in the final rule) is revised as follows to clarify that it also pertains to alterations of individual authorization: "the research could not practicably be conducted without the alteration or waiver."

Proposed waiver criterion vi (waiver criterion § 164.512(i)(2)(ii)(E) in the final rule) is revised as follows to be more consistent with one of the Common Rule's requirements for the approval of human subjects research (Common Rule, § ___.111(a)(2)): "the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to anticipated benefits if any to individuals, and the importance of the knowledge that may reasonably be expected to result from the research." Under criterion § 164.512(i)(2)(ii)(E), the question is whether the risks to an individual's privacy from participating in the research are reasonable in relation to the anticipated benefits from the research. This criterion is unlike waiver criterion § 164.512(i)(2)(ii)(B) in that it focuses on the privacy risks and benefits of the research project more broadly, not on the waiver of individual authorization.

Proposed waiver criterion viii (waiver criterion § 164.512(i)(2)(ii)(G) in the final rule) is revised as follows: "there is an adequate plan to destroy the identifiers at the earliest opportunity consistent with the conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law."

In addition, the final rule includes another waiver criterion: waiver criterion § 164.512(i)(2)(ii)(H). The NPRM proposed no restriction on a researchers' further use or disclosure of protected health information that had been received under proposed § 164.510(j). The final rule requires that the covered entity obtain written agreement from the person or entity receiving protected health information under § 164.512(i) not to re-use or disclose protected health information to any other person or entity, except: (1) as required by law, (2) for authorized oversight of the research project, or (3) for other research for which the use or disclosure of protected health information would be permitted by this subpart. For instance, in assessing whether this criterion has been met, we encourage IRBs and privacy boards to obtain adequate assurances that the protected health information will not be disclosed to an individual's employer for employment decisions without the individual's authorization.

3. Required signature. The rule broadens the types of individuals who are permitted to sign the required documentation of IRB or privacy board approval. The final rule requires the documentation of the alteration or waiver of authorization to be signed by (1) the chair of, as applicable, the IRB or the privacy board, or (2) a member of the IRB or privacy board, as applicable, who is designated by the chair to sign the documentation.

Furthermore, the final rule makes the following three additions to the proposed documentation requirements for the alteration or waiver of authorization:

1. Identification of the IRB or privacy board. The NPRM did not propose that the documentation of waiver include a statement identifying the IRB or privacy board that approved the waiver of authorization. In the final rule we require that such a statement be included in the documentation of alteration or waiver of individual authorization. By this requirement we mean that the name of the IRB or privacy board must be included in such documentation, not the names of individual members of the board.

2. Description of protected health information approved for use or disclosure. The NPRM did not propose that the documentation of waiver include a description of the protected health information that the IRB or privacy board had approved for use or disclosure without individual authorization. In considering waiver of authorization criterion § 164.512(i)(2)(ii)(D), we expect the IRB or privacy board to consider the amount of information that is minimally needed for the study. The final rule requires that the documentation of IRB or privacy board approval of the alteration or waiver of authorization describe the protected health information for which use or access has been determined to be necessary for the research by the IRB or privacy board. For example, if the IRB or privacy board approves only the use or disclosure of certain information from patients' medical records, and not patients' entire medical record, this must be stated on the document certifying IRB or privacy board approval.

3. Review and approval procedures. The NPRM would not have required documentation of IRBs' or privacy boards' review and approval procedures. In the final rule, the documentation of the alteration or waiver of authorization must state that the alteration or waiver has been reviewed and approved by: (1) an IRB that has followed the voting requirements stipulated in the Common Rule (§ ___.108(b)), or the expedited review procedures as stipulated in § ___.110(b); or (2) a privacy board that has reviewed the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any such entities, and the alteration or waiver of authorization is approved by the majority of privacy board members present at the meeting, unless an expedited review procedure is used.

For documentation of IRB approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the IRB followed the expedited review requirements of the Common Rule (§ ___.110). For documentation of privacy board approval that used an expedited review procedure, the covered entity must ensure that the documentation indicates that the privacy board met the expedited review requirements of the privacy rule. In the final rule, a privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which disclosure is being sought. If a privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair. Use of the expedited review mechanism permits review by a single member of the IRB or privacy board, but continues to require that the covered entity obtain documentation that all of the specified waiver criteria have been met.

Reviews Preparatory to Research

Under the NPRM, if a covered entity used or disclosed protected health information for research, but the researcher did not record the protected health information in a manner that persons could be identified, such an activity would have constituted a research use or disclosure that would have been subject to either the individual authorization requirements of proposed § 164.508 or the documentation of the waiver of authorization requirements of proposed § 164.510(j).

The final rule permits the use and disclosure of protected health information for research without requiring authorization or documentation of the alteration or waiver of authorization, if the research is conducted in such a manner that only de-identified protected health information is recorded by the researchers and the protected health information is not removed from the premises of the covered entity. For such uses and disclosures of protected health information, the final rule requires that the covered entity obtain from the researcher representations that use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research, no protected health information is to be removed from the covered entity by the researcher in the course of the review, and the protected health information for which use or access is sought is necessary for the research purposes. The intent of this provision is to permit covered entities to use and disclose protected health information to assist in the development of a research hypothesis and aid in the recruitment of research participants. We understand that researchers sometimes require access to protected health information to develop a research protocol, and to determine whether a specific covered entity has protected health information of prospective research participants that would meet the eligibility criteria for enrollment into a research study. Therefore, this provision permits covered entities to use and disclose protected health information for these preliminary research activities without individual authorization and without documentation that an IRB or privacy board has altered or waived individual authorization.

Research on Protected Health Information of the Deceased

The NPRM would have permitted the use and disclosure of protected health information of deceased persons for research without the authorization of a legal representative, and without the requirement for written documentation of IRB or privacy board approval in proposed § 164.510(j). In the final rule, we retain the exception for uses and disclosures for research purposes but in addition require that the covered entity take certain protective measures prior to release of the decedent's protected health information for such purposes. Specifically, the final rule requires that the covered entity obtain representation that the use or disclosure is sought solely for research on the protected health information of decedent, and representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. In addition, the final rule allows covered entities to request from the researcher documentation of the death of the individuals about whom protected health information is being sought.

Good Faith Reliance

The final rule clarifies that covered entities are allowed to rely on the IRB's or privacy board's representation that the research proposal meets the documentation requirements of § 164.512(i)(1)(i) and the minimum necessary requirements of § 164.514.

In addition, when using or disclosing protected health information for reviews preparatory to research (§ 164.512(i)(1)(ii)) or for research solely on the protected health information of decedents (§ 164.512)(1)(iii)), the final rule clarifies that the covered entity may rely on the requesting researcher's representation that the purpose of the request is for one of these two purpose, and that the request meets the minimum necessary requirements of § 164.514. Therefore, the covered entity has not violated the rule if the requesting researcher misrepresents his or her intended use of the protected health information to the covered entity.

Additional Research Provisions

Research Including Treatment

To the extent that a researcher provided treatment to persons as part of a research study, the NPRM would have covered such researchers as health care providers for purposes of that treatment, and required that the researcher comply with all of the provisions of the rule that would be applicable to health care providers. The final rule retains this requirement.

Individual Access to Research Information

Under proposed § 164.514, the NPRM would have applied the proposed provision regarding individuals' access to records to research that includes the delivery of treatment. The NPRM proposed an exception to individuals' right to access protected health information for clinical trials, where (1) protected health information was obtained by a covered entity in the course of clinical trial, (2) the individual agreed to the denial of access when consenting to participate in the trial (if the individual's consent to participate was obtained), and (3) the trial was still in progress.

Section 164.524 of the final rule retains this exception to access for research that includes treatment. In addition, the final rule requires that participants in such research be informed that their right of access to protected health information about them will be reinstated once the research is complete.

Obtaining the Individual's Authorization for Research

The NPRM would have required covered entities obtaining individuals' authorization for the use or disclosure of information for research to comply with the requirements applicable to individual authorization for the release of protected health information (proposed § 164.508(a)(2)). If an individual had initiated the use or disclosure of his/her protected health information for research, or any other purpose, the covered entity would have been required to obtain a completed authorization for the use or disclosure of protected health information as proposed in § 164.508(c).

The final rule retains these requirements for research conducted with authorization, as required by § 164.508. In addition, for the use and disclosure of protected health information created by a covered entity for the purpose, in whole or in part, of research that includes treatment of the individual, the covered entity must meet the requirements of § 164.508(f).

Interaction with the Common Rule

The NPRM stated that the proposed rule would not override the Common Rule. Where both the NPRM and the Common Rule would have applied to research conducted by the covered entity-either with or without individuals' authorization-both sets of regulations would have needed to be followed. This statement remains true in the final rule. In addition, we clarify that FDA's human subjects regulations must also be followed if applicable.

Survey Disclaimer

According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0990-0379. The time required to complete this information collection is estimated to average 5 minutes per response, including the time to review instructions, search existing data resources, gather the data needed, and complete and review the information collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: U.S. Department of Health & Human Services, OS/OCIO/PRA, 200 Independence Ave., S.W., Suite 336-E, Washington D.C. 20201, Attention: PRA Reports Clearance Officer.